:~$ strings /bin/login | grep -E 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'
/bin/bash
/bin/bash

On Fri, May 14, 2010 at 12:51 PM, Daniel Cid <[email protected]> wrote:
> Hey,
>
> Yes, it seems a false positive. Can someone with this problem run
>
> strings /bin/login | grep -E
> 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'
>
> That will show us which part of the signature is wrong.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, May 12, 2010 at 1:42 PM, grape <[email protected]> wrote:
> > I had the same alert as you did. Found the following thread:
> > http://art.ubuntuforums.org/showthread.php?t=1465667
> > Hope it helps.
> >
> > Steve
> >
> > On May 3, 1:43 pm, Charlie <[email protected]> wrote:
> >> anyone else seeing this?
> >>
> >> Received From: Nyar->rootcheck
> >> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> >> (rootcheck)."
> >> Portion of the log(s):
> >>
> >> Trojaned version of file '/bin/login' detected. Signature used:
> >> 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk' (Generic).
> >
>
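
Added example, not part of the original thread or of OSSEC's code: a small shell helper that splits the signature from the alert into its '|'-separated alternatives and reports which alternative matched which string, which is the question the grep above is meant to answer. The function name sig_hits and the sample strings are constructed for illustration (only the two /bin/bash lines come from the output above), and each alternative is treated as a fixed string, which is equivalent to the grep -E match here because none of them contains a regex metacharacter.

```shell
#!/bin/sh
# Signature copied from the rootcheck alert quoted in this thread.
SIG='bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'

# Constructed sample standing in for `strings /bin/login` output.
# The two /bin/bash lines mirror the output shown in the thread;
# the other lines are made up for this example.
SAMPLE='/lib64/ld-linux-x86-64.so.2
/bin/bash
/bin/bash
/var/log/btmp
LOGIN_TIMEOUT'

# sig_hits SIGNATURE < strings-output   (hypothetical helper name)
# Prints "alternative<TAB>matching string" for every alternative of the
# '|'-separated signature that occurs in an input line, so the term
# responsible for the alert is visible at a glance.
sig_hits() {
    input=$(cat)
    # Split the signature on '|' without glob expansion.
    old_ifs=$IFS
    IFS='|'
    set -f
    set -- $1
    set +f
    IFS=$old_ifs
    for alt in "$@"; do
        # index() is a plain substring test, so no regex semantics apply.
        printf '%s\n' "$input" |
            awk -v a="$alt" 'index($0, a) { print a "\t" $0 }'
    done
}

# Run against the constructed sample; on a real host use:
#   strings /bin/login | sig_hits "$SIG"
printf '%s\n' "$SAMPLE" | sig_hits "$SIG"
```

If only the bash alternative shows up, paired with an ordinary path such as /bin/bash, the alert comes from the generic term and not from any of the rootkit-specific strings in the signature.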
